For a managed system that exists in the TPAM Appliance, how can a Managed Account be created, that uses a Domain Account already managed by TPAM, to authenticate to the PSM session?
To allow a TPAM user to request a Privileged Session to the Managed System that logs in with a domain account, perform the following steps:
Please Note: The following assumes that the Domain Controller and the Domain User are already added in TPAM as a Managed System and a Managed Account respectively.
1. Create a new account for the Managed System
2. Enter an Alias in the “Account Name” field
3. Do not provide a password
4. Ensure that “Password Management” is set to “None”
5. Click the “Save Changes” button
6. Select the “PSM Details” tab (for some versions this appears as the “EGP Details” tab)
7. Select the “Enable EGP Sessions” checkbox
8. Configure the rest of the General tab accordingly
9. Select the “Session Authentication” tab
10. Click the “Use Windows Domain Account” option and select the Domain account that the PSM session will use to log into the system (the domain user must have permissions on the system to connect via RDP).
Note: if the Domain account is not listed in the drop-down, it needs to be added as a Managed Account on the "Windows Active Dir" system first.
11. Ensure that the account has correct permissions for a user to request the PSM Session on the Permissions tab (if running version 2.3, please set the permissions on the managed system).
12. Click “Save Changes”
Prior to 2.5.912 this feature is only available for "Windows" systems. After 2.5.912, the functionality has been extended to include the following platforms:
Cisco CATOS, Cisco Pix, Cisco Router (SSH), FreeBSD, H3C, IBM HMC, Nokia IPSO, Tru64, and all Linux / Unix systems.
Additional Note: In the above scenario, Password Management is set to None. If Password Management is required for the Domain User account, please follow the steps detailed in Knowledge Base article 91406 (Link provided below).
PSM File Transfer does not support the settings from the PSM Connection profile, so if the PSM logon process has been customized this way, File Transfer will fail when the (non-Windows) target system does not support the default, non-customized logon format.
© 2024 One Identity LLC.